EAP-TTLS/PAP -> LDAP for WPA2
John Allman
allmanj at cp.dias.ie
Thu Jul 6 18:56:47 CEST 2006
A.L.M.Buxey at lboro.ac.uk wrote:
> "captive portal" - there are several software tools that will do this...
> eg http://en.wikipedia.org/wiki/Captive_portal
>
> most people seem to be moving away from this method as it is riddled with
> possible security compromises.
>
Thanks for the heads-up. I'll take a look at it, but keep in mind the
possible security implications (I'll google).
> PAP uses clear text (unencrypted) password authentication. whilst
> the EAP-TTLS traffic is encrypted (and the PAP lurks inside that encrypted
> session) when you CAN see the PAP in the clear is when it's being sent
> over to LDAP - so you need to make sure that that communication is
> encrypted...either by making sure it's configured to use SSL for its
> communication channel...or simply 'stunnel'ing the traffic.
>
>> start_tls = no
> ^^^^^^^^^^^^^^
>
> this!
>
As mentioned in my response to Stefan, this is not a concern for me as
they're on the same host communicating exclusively over the loopback
interface.
On a side-note, I've now noticed that radius doesn't appear to be
respecting my ldap filter. base_filter = "(objectclass=radiusprofile)"
but I can authenticate as a user without a radiusprofile attribute.
Ideas?
Thanks,
John
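The two points raised in this message (whether the PAP password leaves the RADIUS host in the clear on its way to LDAP, and which rlm_ldap filter actually scopes the user lookup) can be checked mechanically against the `ldap { ... }` stanza. The following is an added example and is not code from the thread or from FreeRADIUS itself. It assumes the FreeRADIUS 1.x rlm_ldap keys `server`, `basedn`, `filter`, `base_filter` and `start_tls`; the stanzas and the host `ldap.example.net` are constructed samples. The transport check treats a loopback-only server as acceptable (the reasoning in the message above), otherwise it requires `ldaps://` or `start_tls = yes`. The filter check reflects the 1.x configuration semantics as I understand them: `filter` selects the user entry, while `base_filter` only scopes the default-profile search, so an objectclass restriction placed in `base_filter` alone does not stop users without that objectclass from authenticating.

```python
# Added example (not from the mailing list thread or from FreeRADIUS):
# audit an rlm_ldap stanza for cleartext PAP forwarding and for an
# objectclass restriction that sits in the wrong filter.
import re

# Hosts for which the LDAP bind never leaves the RADIUS machine.
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


def parse_stanza(text):
    """Collect `key = value` pairs from an ldap { } stanza, ignoring comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r'^(\w+)\s*=\s*"?(.*?)"?\s*$', line)
        if m:
            cfg[m.group(1)] = m.group(2)
    return cfg


def ldap_host(server):
    """Return (scheme, host) for 'host', 'host:port' or 'ldaps://host:port'."""
    scheme, sep, rest = server.partition("://")
    if not sep:
        scheme, rest = "", server
    # Strip a trailing :port, but leave a bare IPv6 literal such as ::1 alone.
    host = rest.rsplit(":", 1)[0] if rest.count(":") == 1 else rest
    return scheme.lower(), host.lower()


def pap_transport_finding(cfg):
    """Is the PAP password protected between radiusd and the LDAP server?"""
    scheme, host = ldap_host(cfg.get("server", ""))
    start_tls = cfg.get("start_tls", "no").lower() == "yes"
    if host in LOOPBACK_HOSTS:
        return "ok: loopback-only, password never leaves the host"
    if scheme == "ldaps" or start_tls:
        return "ok: LDAP channel is TLS-protected"
    return "cleartext: PAP password forwarded to %s unencrypted" % host


def user_filter_finding(cfg):
    """base_filter scopes the default-profile search; the user lookup is `filter`."""
    if "objectclass=" in cfg.get("filter", "").lower():
        return "ok: user lookup restricted by objectclass"
    if "objectclass=" in cfg.get("base_filter", "").lower():
        return "warn: objectclass restriction is in base_filter, not in filter"
    return "warn: user lookup filter has no objectclass restriction"


# Constructed sample stanzas (hostnames are placeholders, not real servers).
WEAK_STANZA = """
ldap {
    server = "ldap.example.net"
    basedn = "dc=example,dc=net"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    base_filter = "(objectclass=radiusprofile)"
    start_tls = no
}
"""

LOOPBACK_STANZA = """
ldap {
    server = "localhost"
    basedn = "dc=example,dc=net"
    filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
    start_tls = no
}
"""

HARDENED_STANZA = """
ldap {
    server = "ldap.example.net"
    basedn = "dc=example,dc=net"
    filter = "(&(uid=%{Stripped-User-Name:-%{User-Name}})(objectclass=radiusprofile))"
    start_tls = yes
}
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_STANZA), ("loopback", LOOPBACK_STANZA),
                       ("hardened", HARDENED_STANZA)):
        cfg = parse_stanza(text)
        print(name, "|", pap_transport_finding(cfg), "|", user_filter_finding(cfg))
```

Running it reports the first stanza as forwarding the password in the clear and as carrying its objectclass restriction in `base_filter` only; the loopback stanza passes the transport check on the same grounds given in the message above; the hardened stanza passes both checks.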